You create a new KeyStore by passing a null InputStream to the KeyStore load method. When you create a new KeyStore, the nCipherKM provider generates a KeyStore key that is used to sign trusted public certificate entries. The relevant signature is verified when public certificates in the KeyStore are used; this functionality prevents an attacker inserting new certificates into a KeyStore without the protection token that is needed to use the KeyStore key.

By default, the KeyStore protection key is OCS-protected. Ensure that the passphrase argument used with the KeyStore interface matches the passphrase of that OCS. When the KeyStore method is called, you must present a card with a matching passphrase from the required OCS. You can use the protect system property to change the protection type used for the KeyStore key; for more information about the protect property, see System Properties.

An existing KeyStore file is not overwritten if the KeyStore store method is called on an OutputStream directed at the same file path. Instead, the KeyStore at the existing path is used to store the keys in the new KeyStore. This operation fails if the passphrases for the two KeyStores do not match.